DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Spoofed MACs, unauthorised IPs, rogue Access Points???

29 Jun 2009 17:04 #1 by 2blueuk
Hey,

I recently bought a Vigor 2820n for a small office network, largely using wireless devices, so as you can imagine when setting up the router and clients, security was my biggest concern (and my old BT Business Hub proved as useful as a frisbee in a wireless network environment).
I used MAC to IP Bind (strict mode) and made sure those very same MACs were used in ARP cache tables in my other WAPs.
Just noticed this morning I have three extra devices with the weirdest MAC addresses and although strict MAC to IP bind was done, these devices still managed to get IP addresses from the DHCP server.
Just to compare if anyone else is having the same problems, the addresses are:
00:40:2B:4F:56:A5
E9:EB:B3:A6:DB:3C
4D:C8:43:BB:8B:A6
Now I have no doubt that these are fake but interestingly enough they all have the same host name 'detective'.
More interestingly, one of them had the exact same IP as my network printer (on wire) but I didn't detect any conflicts. Also you cannot ping any of the devices although you can see them in the DHCP table under diagnosis.
If I only use MAC to IP bind and turn the DHCP server off, would the computers still get the same IPs that were assigned to their MACs?

Any suggestions would be welcome. Because at this point all I can think is WTF???

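The symptoms in the post above (leases for MACs outside the strict bindings, a shared hostname, one lease colliding with the printer's IP) are exactly the things worth checking mechanically in a DHCP lease table. The following script is an added example, not from the original thread or from DrayTek: it parses a constructed lease table in a simple "IP MAC hostname" layout (the Vigor's real table format is not reproduced here) and flags each lease that violates the assumed trusted bindings, has an invalid group (I/G) or locally-administered bit in its MAC, or shares an IP or hostname with another lease.

```python
import re
from collections import Counter

# Constructed sample lease table, modelled on what the post describes: the three
# MACs quoted in the thread, one of them sharing the printer's IP, all named 'detective'.
SAMPLE_LEASES = """\
192.168.1.10  00:1A:2B:3C:4D:5E  office-pc1
192.168.1.20  00:11:22:33:44:55  printer
192.168.1.31  00:40:2B:4F:56:A5  detective
192.168.1.20  E9:EB:B3:A6:DB:3C  detective
192.168.1.33  4D:C8:43:BB:8B:A6  detective
"""

# Assumed (hypothetical) strict MAC-to-IP bindings the admin configured.
KNOWN_BINDINGS = {
    "00:1A:2B:3C:4D:5E": "192.168.1.10",
    "00:11:22:33:44:55": "192.168.1.20",
}

LINE_RE = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f:]{17})\s+(\S+)\s*$")

def parse_leases(text):
    """Return a list of (ip, mac, hostname) tuples; MACs are normalised to upper case."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, mac, host = m.groups()
            leases.append((ip, mac.upper(), host))
    return leases

def mac_flags(mac):
    """Flags derived from the first octet: bit 0 is the I/G bit (a group address can
    never be a host's own MAC), bit 1 is the U/L bit (not vendor-assigned)."""
    first = int(mac.split(":")[0], 16)
    flags = []
    if first & 0x01:
        flags.append("group-bit-set")
    if first & 0x02:
        flags.append("locally-administered")
    return flags

def audit(text, known=KNOWN_BINDINGS):
    """Map each suspicious MAC to a sorted list of reasons; clean leases are omitted."""
    leases = parse_leases(text)
    ip_count = Counter(ip for ip, _, _ in leases)
    host_count = Counter(host for _, _, host in leases)
    findings = {}
    for ip, mac, host in leases:
        reasons = mac_flags(mac)
        if mac not in known:
            reasons.append("not-in-bindings")
        elif known[mac] != ip:
            reasons.append("ip-mismatch")
        if ip_count[ip] > 1:
            reasons.append("duplicate-ip")
        if host_count[host] > 1:
            reasons.append("duplicate-hostname")
        if reasons:
            findings[mac] = sorted(reasons)
    return findings
```

Two of the three quoted MACs have the group bit set in their first octet, so they could not belong to a real interface regardless of what the binding table says.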

29 Jun 2009 17:13 #2 by anyoldname
A quick Google on one of the MAC addresses gives a clue...

Do you have a Windows Server 2003-based server or a Windows Small Business Server 2003?

see: http://support.microsoft.com/kb/945948


- ian

29 Jun 2009 17:49 #3 by 2blueuk
Hmmm...actually I am running a few Windows 2003 systems, none that I recently configured and none that are DCs.
But one of the servers is running Total Network Monitor using ICMP protocols, that might be why...

Thanks for the heads up dude.
